SecurityPkg: SecureBootConfigDxe: Support AUTH_2 enrollment to DBX

[mirror_edk2.git] / SecurityPkg / VariableAuthenticated / SecureBootConfigDxe / SecureBootConfig.vfr

diff --git a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
index 484da2c0cabdf84f9ec3435afcce788e672b3e89..bbecff2b085dfa83a867283fc34b286ddb9dd9eb 100644 (file)
--- a/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
+++ b/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr
@@ -1,7 +1,7 @@
 /** @file\r
   VFR file used by the SecureBoot configuration component.\r
 \r
-Copyright (c) 2011 - 2016, Intel Corporation. All rights reserved.<BR>\r
+Copyright (c) 2011 - 2017, Intel Corporation. All rights reserved.<BR>\r
 This program and the accompanying materials\r
 are licensed and made available under the terms and conditions of the BSD License\r
 which accompanies this distribution.  The full text of the license may be found at\r
@@ -33,14 +33,6 @@ formset
 \r
     subtitle text = STRING_TOKEN(STR_NULL);\r
 \r
-    //\r
-    // Display current secure boot mode(one of SetupMode/AuditMode/UserMode/DeployedMode)\r
-    //\r
-    text\r
-      help   = STRING_TOKEN(STR_CUR_SECURE_BOOT_MODE_HELP),\r
-      text   = STRING_TOKEN(STR_CUR_SECURE_BOOT_MODE_PROMPT),\r
-        text   = STRING_TOKEN(STR_CUR_SECURE_BOOT_MODE_CONTENT);\r
-\r
     text\r
       help   = STRING_TOKEN(STR_SECURE_BOOT_STATE_HELP),\r
       text   = STRING_TOKEN(STR_SECURE_BOOT_STATE_PROMPT),\r
@@ -49,7 +41,7 @@ formset
     //\r
     // Display of Check Box: Attempt Secure Boot\r
     //\r
-    grayoutif ideqval SECUREBOOT_CONFIGURATION.HideSecureBoot == 1;\r
+    grayoutif ideqval SECUREBOOT_CONFIGURATION.HideSecureBoot == 1 OR NOT ideqval SECUREBOOT_CONFIGURATION.PhysicalPresent == 1;\r
     checkbox varid = SECUREBOOT_CONFIGURATION.AttemptSecureBoot,\r
           questionid = KEY_SECURE_BOOT_ENABLE,\r
           prompt = STRING_TOKEN(STR_SECURE_BOOT_PROMPT),\r
@@ -71,7 +63,7 @@ formset
     endoneof;\r
 \r
     //\r
-    // Display PK include page\r
+    // Display of 'Current Secure Boot Mode'\r
     //\r
     suppressif questionref(SecureBootMode) == SECURE_BOOT_MODE_STANDARD;\r
     grayoutif NOT ideqval SECUREBOOT_CONFIGURATION.PhysicalPresent == 1;\r
@@ -93,33 +85,6 @@ formset
 \r
     subtitle text = STRING_TOKEN(STR_NULL);\r
 \r
-    //\r
-    // Display of SetupMode/UserMode/AuditMode/DeployedMode transition\r
-    //\r
-    oneof name   = TransSecureBootMode,\r
-            questionid = KEY_TRANS_SECURE_BOOT_MODE,\r
-            prompt = STRING_TOKEN(STR_TRANS_SECURE_BOOT_MODE_PROMPT),\r
-            help   = STRING_TOKEN(STR_TRANS_SECURE_BOOT_MODE_HELP),\r
-            flags  = INTERACTIVE | NUMERIC_SIZE_1,\r
-      suppressif ideqval SECUREBOOT_CONFIGURATION.CurSecureBootMode == SECURE_BOOT_MODE_AUDIT_MODE \r
-              OR (ideqval SECUREBOOT_CONFIGURATION.CurSecureBootMode == SECURE_BOOT_MODE_DEPLOYED_MODE AND\r
-                  ideqval SECUREBOOT_CONFIGURATION.PhysicalPresent == 0);\r
-            option text = STRING_TOKEN(STR_USER_MODE),     value = SECURE_BOOT_MODE_USER_MODE,   flags = 0;\r
-      endif\r
-      suppressif ideqval SECUREBOOT_CONFIGURATION.CurSecureBootMode == SECURE_BOOT_MODE_AUDIT_MODE;\r
-            option text = STRING_TOKEN(STR_SETUP_MODE),    value = SECURE_BOOT_MODE_SETUP_MODE,  flags = 0;\r
-      endif\r
-      suppressif ideqval SECUREBOOT_CONFIGURATION.CurSecureBootMode == SECURE_BOOT_MODE_DEPLOYED_MODE;\r
-            option text = STRING_TOKEN(STR_AUDIT_MODE),    value = SECURE_BOOT_MODE_AUDIT_MODE,  flags = 0;\r
-      endif\r
-      suppressif ideqval SECUREBOOT_CONFIGURATION.CurSecureBootMode == SECURE_BOOT_MODE_SETUP_MODE;\r
-            option text = STRING_TOKEN(STR_DEPLOYED_MODE), value = SECURE_BOOT_MODE_DEPLOYED_MODE,  flags = 0;\r
-      endif\r
-\r
-    endoneof;\r
-\r
-    subtitle text = STRING_TOKEN(STR_NULL);\r
-\r
     goto FORMID_SECURE_BOOT_PK_OPTION_FORM,\r
          prompt = STRING_TOKEN(STR_SECURE_BOOT_PK_OPTION),\r
          help   = STRING_TOKEN(STR_SECURE_BOOT_PK_OPTION_HELP),\r
@@ -481,26 +446,44 @@ formset
     label LABEL_END;\r
     subtitle text = STRING_TOKEN(STR_NULL);\r
 \r
-    string  varid   = SECUREBOOT_CONFIGURATION.SignatureGuid,\r
-            prompt  = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID),\r
-            help    = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID_HELP),\r
-            flags   = INTERACTIVE,\r
-            key     = KEY_SECURE_BOOT_SIGNATURE_GUID_DBX,\r
-            minsize = SECURE_BOOT_GUID_SIZE,\r
-            maxsize = SECURE_BOOT_GUID_SIZE,\r
-    endstring;\r
+    grayoutif ideqval SECUREBOOT_CONFIGURATION.FileEnrollType == 3;\r
+      string  varid   = SECUREBOOT_CONFIGURATION.SignatureGuid,\r
+              prompt  = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID),\r
+              help    = STRING_TOKEN(STR_SECURE_BOOT_SIGNATURE_GUID_HELP),\r
+              flags   = INTERACTIVE,\r
+              key     = KEY_SECURE_BOOT_SIGNATURE_GUID_DBX,\r
+              minsize = SECURE_BOOT_GUID_SIZE,\r
+              maxsize = SECURE_BOOT_GUID_SIZE,\r
+      endstring;\r
+    endif;\r
 \r
-    oneof name = SignatureFormatInDbx,\r
-          varid       = SECUREBOOT_CONFIGURATION.CertificateFormat,\r
-          prompt      = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_PROMPT),\r
-          help        = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_HELP),\r
-          option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA256), value = 0x2, flags = DEFAULT;\r
-          option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA384), value = 0x3, flags = 0;\r
-          option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA512), value = 0x4, flags = 0;\r
-          option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_RAW), value = 0x5, flags = 0;\r
-    endoneof;\r
+    disableif NOT ideqval SECUREBOOT_CONFIGURATION.FileEnrollType == 1;\r
+      oneof name = X509SignatureFormatInDbx,\r
+            varid       = SECUREBOOT_CONFIGURATION.CertificateFormat,\r
+            prompt      = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_PROMPT),\r
+            help        = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_HELP),\r
+            option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA256), value = 0x1, flags = DEFAULT;\r
+            option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA384), value = 0x2, flags = 0;\r
+            option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_SHA512), value = 0x3, flags = 0;\r
+            option text = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_RAW), value = 0x4, flags = 0;\r
+      endoneof;\r
+    endif;\r
+\r
+    disableif NOT ideqval SECUREBOOT_CONFIGURATION.FileEnrollType == 2;\r
+      text\r
+        help   = STRING_TOKEN(STR_DBX_PE_IMAGE_FORMAT_HELP),          // Help string\r
+        text   = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_PROMPT),     // Prompt string\r
+        text   = STRING_TOKEN(STR_DBX_PE_FORMAT_SHA256);              // PE image type\r
+    endif;\r
+\r
+    disableif NOT ideqval SECUREBOOT_CONFIGURATION.FileEnrollType == 3;\r
+      text\r
+        help   = STRING_TOKEN(STR_DBX_AUTH_2_FORMAT_HELP),            // Help string\r
+        text   = STRING_TOKEN(STR_DBX_CERTIFICATE_FORMAT_PROMPT),     // Prompt string\r
+        text   = STRING_TOKEN(STR_DBX_AUTH_2_FORMAT);                 // AUTH_2 image type\r
+    endif;\r
 \r
-    suppressif ideqval SECUREBOOT_CONFIGURATION.CertificateFormat == 5;\r
+    suppressif ideqval SECUREBOOT_CONFIGURATION.CertificateFormat == 4;\r
         checkbox varid  = SECUREBOOT_CONFIGURATION.AlwaysRevocation,\r
                prompt = STRING_TOKEN(STR_ALWAYS_CERTIFICATE_REVOCATION_PROMPT),\r
                help   = STRING_TOKEN(STR_ALWAYS_CERTIFICATE_REVOCATION_HELP),\r